From 3d8b0ac104dee68b47d9a4d2ef622e7f1acdd7a4 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 27 Nov 2013 01:26:36 +0100
Subject: Reorganization.

---
 .../common-LDAP/files/etc/ldap/schema/fripost.ldif | 190 +++++++++++++++++++++
 .../files/var/lib/ldap/fripost/DB_CONFIG           |   5 +
 2 files changed, 195 insertions(+)
 create mode 100644 roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
 create mode 100644 roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG

(limited to 'roles/common-LDAP/files')

diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
new file mode 100644
index 0000000..851988e
--- /dev/null
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -0,0 +1,190 @@
+# Fripost's LDAP schema
+# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Load this file with
+#
+#   ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif
+#
+# It will load the schema. To perform modifications, the easiest way is to
+#
+#  * Save the database:      slapcat -b 'o=mailHosting,dc=fripost,dc=dev' > /tmp/db.ldif
+#  * Save the configuration: slapcat -n0 > /tmp/config.ldif
+#  * Backup slap.d:          cp -a /etc/ldap/slapd.d/ /tmp/slap.d_back
+#  * Edit the schema in /tmp/config.ldif
+#  * Load the new config:    mkdir -m 0700 /tmp/slapd.d_new && slapadd -F /tmp/slapd.d_new -n0 -l /tmp/config.ldif
+#  * Stop slapd:             /etc/init.d/slapd stop
+#  * Load the new config:    rm -rf /etc/ldap/slapd.d/ && mv /tmp/slapd.d_new /etc/ldap/slapd.d && chown -R openldap:openldap /etc/ldap/slapd.d
+#  * Create indexes:         sudo -u openldap slapindex -b 'o=mailHosting,dc=fripost,dc=dev'
+#  * Start slapd:            /etc/init.d/slapd start
+#    If it fails, remove the existing database and see what's wrong
+#                 rm -rf /var/lib/ldap/dev/* && sudo -u openldap slapadd -b 'o=mailHosting,dc=fripost,dc=org' -l /tmp/db.ldif
+#
+#
+# /!\ WARN: All modification to the ACL should be reflected to the test
+# /!\ suite as well!
+#
+#
+# References:
+# - http://courier.svn.sourceforge.net/svnroot/courier/trunk/courier-authlib/authldap.schema
+# - http://www.qmail-ldap.org/wiki/index.php/Qmail.schema
+# - http://www.wanderingbarque.com/howtos/mailserver/mailserver.html
+
+
+# 1.3.6.1.4.1.40011        Fripost's OID
+# 1.3.6.1.4.1.40011.1
+# 1.3.6.1.4.1.40011.1.2    fripost LDAP Elements
+# 1.3.6.1.4.1.40011.1.2.1  AttributeTypes
+# 1.3.6.1.4.1.40011.1.2.2  ObjectClasses
+# 1.3.6.1.4.1.40011.1.2.3  Syntax Definitions
+
+# This schema depends on:
+# - core.schema
+# - cosine.schema
+# - nis.schema
+
+
+dn: cn=fripost-master,cn=schema,cn=config
+objectClass: olcSchemaConfig
+#
+# Attributes: 1.3.6.1.4.1.40011.1.1
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd'
+    DESC 'A virtual mail domain'
+    EQUALITY caseIgnoreIA5Match
+    SUBSTR caseIgnoreIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
+    DESC 'The local part of a virtual user, alias, list or list command'
+    EQUALITY caseIgnoreIA5Match
+    SUBSTR caseIgnoreIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+#
+# This is redundant since we always use DNs of the form
+#     fvl=localpart,fvd=domainpart.tld,...
+# (But Postfix doesn't allow the use of '%u' and '%d' from the query in
+# its 'result_format'.)
+# It is a priori insecure to allow arbitrary values here since users
+# will modify this value themselves, however our Postfix will only
+# accept well-formed values, enforced by a custom filter:
+#    query_filter = (&...(fripostLocalAlias=%u#%d))
+#    result_attribute = fripostLocalAlias
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostLocalAlias'
+    DESC 'A local alias, typically localpart#domainpart.tld'
+    EQUALITY caseIgnoreIA5Match
+    SUBSTR caseIgnoreIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostMaildrop'
+    DESC 'An email address the virtual alias should be mapped to'
+    EQUALITY caseIgnoreIA5Match
+    SUBSTR caseIgnoreIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+# We are creating a new attribute, optional in virtual domains and
+# users, because the presence index should *not* apply to the
+# mandatory attribute above.
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostOptionalMaildrop'
+    DESC 'An optional email address for catch-all aliases on domains and users'
+    EQUALITY caseIgnoreIA5Match
+    SUBSTR caseIgnoreIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostIsStatusActive'
+    DESC 'When present, a token locking the entry in an inactive state'
+    EQUALITY booleanMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostPendingToken'
+    DESC 'Is the entry pending?'
+    EQUALITY caseExactMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostUserQuota'
+    DESC 'The quota on a user e.g., "50MB"'
+    EQUALITY caseExactMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostCanAddDomain'
+    DESC 'A user/domain that can add domains'
+    SUP distinguishedName )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanAddAlias'
+    DESC 'A user/domain that can add aliases under the parent domain'
+    SUP distinguishedName )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostCanAddList'
+    DESC 'A user/domain that can add lists under the parent domain'
+    SUP distinguishedName )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostOwner'
+    DESC 'A user that owns under parent domain'
+    SUP distinguishedName )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostPostmaster'
+    DESC 'A user that is a postmaster of the parent domain'
+    SUP distinguishedName )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostListManager'
+    DESC 'The list manager'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
+#
+#
+# Objects: 1.3.6.1.4.1.40011.1.2
+#
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtual'
+    AUXILIARY
+    DESC 'Virtual mail hosting'
+    MAY ( fripostCanAddDomain ) )
+#
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
+    SUP top STRUCTURAL
+    DESC 'Virtual domain'
+    MUST ( fvd $ fripostIsStatusActive )
+    MAY ( fripostCanAddAlias $ fripostCanAddList $
+          fripostOwner $ fripostPostmaster $
+          fripostOptionalMaildrop $ description ) )
+#
+# | TODO: add limits here
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser'
+    SUP top STRUCTURAL
+    DESC 'Virtual user'
+    MUST ( fvl $ userPassword $ fripostIsStatusActive )
+    MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
+#
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias'
+    SUP top STRUCTURAL
+    DESC 'Virtual alias'
+    MUST ( fvl $ fripostMaildrop $ fripostIsStatusActive )
+    MAY ( fripostOwner $ description ) )
+#
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
+    SUP top STRUCTURAL
+    DESC 'Virtual list'
+    MUST ( fvl $ fripostListManager $ fripostIsStatusActive $ fripostLocalAlias )
+    MAY ( fripostOwner $ description ) )
+#
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand'
+    SUP top STRUCTURAL
+    DESC 'Virtual list command'
+    MUST ( fvl $ fripostLocalAlias ) )
+#
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry'
+    SUP top AUXILIARY
+    DESC 'Virtual pending entry'
+    MAY ( fripostPendingToken ) )
diff --git a/roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG b/roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG
new file mode 100644
index 0000000..0bd4e58
--- /dev/null
+++ b/roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG
@@ -0,0 +1,5 @@
+set_cachesize 0 5242880 1
+# 5MB cachesize, allow defragmentation
+set_lk_max_objects 1500
+set_lk_max_locks 1500
+set_lk_max_lockers 1500
-- 
cgit v1.2.3